On CHOW: Pour beer the right way
BNET Business Network:
BNET
TechRepublic
ZDNet

Talkback

Add your opinion
Laws of identity

Bob Artner of TechRepublic drills down on the seven laws of identity. Microsoft's chief identity architect Kim Cameron has proposed the laws as a way to think about authentication, security, digital identity and digital rights.

I'm Bob Artner for TechRepublic, and as we all know, there is a lot of conversation going online right now about authentication, security and the whole question of digital rights and digital access. And Kim Cameron, who is the Identity Architect at Microsoft has proposed something he calls "The Laws of Identity" as a way for us to think about digital identity, digital identification and authentication and I'm going to take these seven laws and really compress them but try to give you a sense for what he's talking about. What's his first law?

Basically, it's about consent. He says any digital right scheme or protocol or technology has to have the users consent at the heart, first and foremost. The user has to consent to that authentication.

Second, it has to be as minimal as possible. In other words, you need to give as little information as possible for that particular transaction that you're doing. If I'm sending an e-mail address to someone, you need to be able to verify that is in fact your e-mail address. But you don't need to give that person your street address, your social security number, your credit cards, your bank information. Some of that information might be required if you're doing e-commerce, but the principle for this law is, provide as little information as is possible under the circumstances.

And the next law is about justifiable access. In other words, if a person is going to be party to this conversation, this authentication, they need to have the need to have it. In other words, if you and I are talking, that's one thing. We couldn't authenticate with each other but do we have to authenticate with some big agency, a big clearinghouse, if the conversation is just between us and this all the time he says no. It's only people who have a real justified need to be involved.

Four, directed identity - this is a little more confusing but what Cameron means here is there's a distinction between uni-directional or public authentication. If I have a website, for example, that's a URL and that URL is public and everyone has access to it and everyone should be able to know who owns that URL and what it's about. On the other hand, my e-mail address is by it's nature more private and any conversation that happens between me as an individual to another individual is private and any authentication scheme needs to recognize the difference between those two kinds of things.

Fifth law. You know what, I'm going to put this in red because I think it's really important: pluralism. By this, Cameron means that there isn't going to be a central scheme or central technology or a central clearinghouse. That a real law of identity means that there needs to be multiple ways to do this, multiple partners, multiple technologies that need to work together to reduce the possible power and corrupting influence of a single overriding authentication clearinghouse.

Six, human integration. By this what Cameron means is the fact that our digital authentication involves a person sitting at a computer or in front of a terminal or in front of a mobile phone and we need to understand that there is a relationship between the device and an authentic human. So authentication schemes and technologies have to look at things like phishing and other types of scams and recognize that there's a human/machine interface here that we have to be cognizant of.

What's the last one? I think this one is really important too so I'm going to put this in red also: consistent experience. For doing authentication, for doing digital rights management in many different contexts, the consistent application has to be the same. In other words, if I'm providing information in one context, it needs to look similar, so that I have confidence that, "Oh, yes, this is the authentication part of what's happening now," and it doesn't vary from place to place or from application to application.

So you can see, these are seven laws that are really principles and what Cameron is trying to do is get a framework for how we can talk about this. And I'm not suggesting that he's right in every detail, but I am suggesting he's starting a conversation that I think is really important and all of us should be thinking about.